The Gentlemen
The Gentlemen is a ransomware-as-a-service (RaaS) cybercrime group tracked by Microsoft as Storm-2697. The group emerged publicly in 2025, with reporting placing its appearance from mid-2025 to September 2025, and rapidly became one of the most active ransomware operations by published victim count. Multiple reports describe it as a fast-growing RaaS operation and one of the top ransomware groups globally by victim volume. The group is financially motivated and uses double extortion, combining file encryption with data theft and leak-site pressure. Reporting states that The Gentlemen claimed hundreds of victims across dozens of countries, with victims spanning multiple regions and sectors.

Manufacturing is specifically identified as a top targeted sector, with additional reporting citing technology, business services, healthcare, industrial organizations, and some consumer-facing entities. Geographic reporting indicates broad international targeting, with activity noted across Southeast Asia, South America, Western Europe, Latin America, Europe, and Asia; some reports specifically highlight the UK, Germany, Thailand, Brazil, India, and a relatively smaller share of victims in the United States.

The Gentlemen is widely described as affiliate-driven and aggressively recruits operators by offering a 90% affiliate revenue share. Reporting states that experienced affiliates moved to The Gentlemen from older ransomware operations including DragonForce and LockBit. The group has been linked to Qilin lineage: multiple sources state it originated from, defected from, or splintered from Qilin, including the ArmCorp affiliate crew. PRODAFT reported that Phantom Mantis transitioned into The Gentlemen as an independent partnership program in July 2025. Phantom Mantis is described as having previously operated as an affiliate using LockBit, Qilin, and Medusa resources.
Reported aliases and related names in the content include Phantom Mantis, ArmCorp, Storm-2697, hastalamuerte, zeta88, nobody0, santamuerte, and LARVA-368.

The group's intrusion tradecraft centers on rapid compromise of internet-facing systems and fast progression to encryption. Reported initial access methods include exploitation of vulnerable edge devices and services, especially Fortinet FortiGate/FortiOS systems, VPNs, firewalls, SSL VPN portals, RDP, and stolen credentials sourced from infostealers or compromised Outlook Web Access and Microsoft 365 accounts. Specific vulnerabilities directly mentioned in reporting on The Gentlemen include CVE-2024-55591 in FortiOS/FortiProxy, as well as use of older Active Directory weaknesses such as ZeroLogon and PetitPotam. Additional reporting from leaked internal communications states the group tracked or used CVE-2025-32433 and CVE-2025-33073.

Post-compromise behavior described in the content includes LDAP and Active Directory enumeration, privileged group discovery, credential theft, abuse of misconfigured Active Directory Certificate Services, PKINIT, UnPAC the hash, DCSync, use of WinRM, RDP, WMI, PsExec, PowerShell Remoting, NetExec, Group Policy Objects for domain-wide deployment, and exfiltration with rclone or WinSCP. The group has also been reported using SystemBC as a proxy/backdoor and Cobalt Strike as backup command-and-control infrastructure. Reporting further states that The Gentlemen can encrypt victim networks within hours and that its malware has worm-like or self-propagating lateral movement capabilities over SMB and administrative shares.

A defining technical characteristic is centralized support for affiliates, especially defense evasion tooling. ESET reported that The Gentlemen equips affiliates with a standardized EDR-killer suite centered on the in-house GentleKiller framework.
The group rapidly weaponizes bring-your-own-vulnerable-driver (BYOVD) proof-of-concepts to disable security tools before ransomware deployment. Reporting states that GentleKiller has multiple variants abusing different vulnerable or malicious kernel drivers and targets hundreds of processes associated with dozens of security products. Third-party tools observed in Gentlemen intrusions include HexKiller, ThrottleBlood, and HavocKiller. Additional reporting states the group uses BYOVD techniques with drivers such as ThrottleBlood.sys and viragt64.sys, and disables Microsoft Defender through PowerShell, exclusions, and policy changes.

The ransomware itself is described as a Go-based cross-platform locker for Windows and Linux, with a separate ESXi variant in C. Reported features include XChaCha20 file encryption with Curve25519/X25519 key exchange, per-file ephemeral keys, intermittent encryption modes, shadow copy deletion, service termination, anti-recovery behavior, and optional self-spreading via a --spread argument. Reporting also states the group supports affiliates with tooling and troubleshooting, and that leaked internal chats showed use of AI-assisted tooling for coding and analysis of stolen data.

The content links the group's founder/administrator to a Russian national. Multiple reports identify hastalamuerte/zeta88 as Alexander Andreevich Yapaev of Izhevsk, Russia, and describe The Gentlemen as a Russian-speaking operation. Reporting also states the group prohibits work in Russia and CIS countries, consistent with many Russian-speaking ransomware operations. Notable victim reporting in the content includes Mackay Sugar in Australia, which The Gentlemen claimed on its leak site in June 2026. The content also references attacks or victim claims involving Complexul Energetic Oltenia and a pivot from Adaptavist into Arçelik.
Internal leaks in 2026 reportedly exposed parts of the group’s infrastructure, tooling, payment information, negotiations, and methods, but reporting states operations continued afterward.
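As an added example (not code from the page's sources or from the group's tooling) of turning the post-compromise and defense-evasion behaviours described above into detection logic: a Python triage over constructed endpoint telemetry that flags loads of the vulnerable drivers named in reporting, Defender tampering via PowerShell, shadow copy deletion, rclone/WinSCP exfiltration and the --spread flag, and escalates any host that pairs a BYOVD driver load with another hit. The host names, paths and exact command lines are assumptions; the Defender cmdlets and vssadmin syntax are real.

```python
import re
from collections import namedtuple

# Vulnerable drivers named in reporting on the group's BYOVD tooling (file names only).
BYOVD_DRIVERS = {"throttleblood.sys", "viragt64.sys"}

# Command-line patterns. The Defender cmdlets and vssadmin syntax are real; the exact
# invocations an intrusion would use are assumed here, not taken from reporting.
CMDLINE_RULES = [
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-Exclusion", re.I)),
    ("defender_disable", re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)),
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("exfil_tool", re.compile(r"\b(rclone|winscp)(\.exe)?\b.*\b(copy|sync|put)\b", re.I)),
    ("self_spread_flag", re.compile(r"\s--spread\b")),
]

# kind is "driver_load" (detail = driver path) or "process" (detail = command line)
Event = namedtuple("Event", "kind host detail")

def classify(event):
    """Return the name of the first matching rule, or None if the event is benign."""
    if event.kind == "driver_load":
        name = event.detail.replace("\\", "/").rsplit("/", 1)[-1].lower()
        return "byovd_driver_load" if name in BYOVD_DRIVERS else None
    for rule, pattern in CMDLINE_RULES:
        if pattern.search(event.detail):
            return rule
    return None

def triage(events):
    """Group rule hits per host; escalate hosts pairing a BYOVD load with any other hit."""
    hits = {}
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.setdefault(ev.host, set()).add(rule)
    escalate = {h for h, rules in hits.items() if "byovd_driver_load" in rules and len(rules) > 1}
    return hits, escalate

# Constructed sample telemetry, not real indicators from any incident.
SAMPLE = [
    Event("driver_load", "WS01", r"C:\Windows\Temp\ThrottleBlood.sys"),
    Event("process", "WS01", "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event("process", "WS01", "powershell.exe Add-MpPreference -ExclusionPath C:\\Users\\Public"),
    Event("process", "FS02", "vssadmin.exe delete shadows /all /quiet"),
    Event("process", "FS02", "rclone.exe copy D:\\Finance remote:bucket"),
    Event("driver_load", "DC01", r"C:\Windows\System32\drivers\tcpip.sys"),
    Event("process", "DC01", r"C:\Windows\Temp\locker.exe --spread"),
]
```

Running `triage(SAMPLE)` escalates only WS01, where the driver load and the Defender tampering land on the same host; FS02 and DC01 produce hits worth reviewing but no BYOVD pairing.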
Tradecraft
53 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
7 malware families attributed to this actor across reporting.
Associated vulnerabilities
5 CVEs this actor has used in observed campaigns. 5 of them exploited in the wild.
Operators scanned for and exploited internet-facing vulnerabilities including the FortiOS authentication-bypass flaw CVE-2024-55591, alongside older Active Directory weaknesses like ZeroLogon and PetitPotam.
The group actively tracks and evaluates modern vulnerabilities, including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073, and combines them with technique-driven paths like backup and management-controller abuse and NTLM relay workflows, giving them a flexible exploitation pipeline.
Observables
144 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Ransomware operation that centralizes and distributes standardized EDR-killer tooling to affiliates, rapidly adopting newly disclosed BYOVD proof-of-concepts to disable endpoint protections prior to ransomware deployment.
Key ransomware-as-a-service ecosystem group conducting concentrated multi-region attacks and using tactics associated with Black Basta; linked to a multi-stage intrusion chain involving EtherRAT and TukTuk.
A ransomware-as-a-service provider observed since July 2025 that conducts double extortion attacks and is known for using file-encrypting malware; its affiliates reportedly have access to a self-propagating file encryptor and the group has partnered with BreachForums to recruit affiliates such as penetration testers and initial access brokers.
Referenced as another ascendant ransomware group benefiting from disruption of other major gangs and appearing in top incident rankings.